A Message from the Dark Side:
Your Defenses Will Fail, and Here’s Why
Author: Anonymous Hacker
This blog is authored by one of our industry peers who, due to the sensitive nature of their work and the wishes of their clients, prefers to be unnamed. The cybersecurity industry is a complex ecosystem made up of private practitioners, government agency experts, engineers, and hackers. All are working together to achieve the best possible outcomes, but privacy for practitioners is often essential. We respect that and appreciate all our peers and their contributions to the field.
I hear a lot of people compare securing their IT networks to how they would secure a house. But when most people turn the lock on their front door at night, they feel safe enough to go to bed and sleep peacefully. They don’t live with the reality that thousands of attackers of all shapes and sizes will be attempting to break in throughout the night, and into the next day – jimmying the side doors, breaking upstairs windows, sneaking into basements – or worse, that someone like me may already own a set of keys and could walk right in the front door. Instead, they tend to rely on common security controls like MFA, firewalls, or endpoint detection and response (EDR) and think, “Hey, I’m compliant. I’m doing what I can for security. We’re going to be fine unless something crazy happens.” After all, their vendors promised that if they just installed this new tool, they’d have the silver bullet and be secure from then on.
Reality is a bit messier than that, and the house metaphor breaks down quickly if you’re someone like me. Attackers are really good at building layered attacks that are designed to evade detection. I can even automate them, or deliver a malicious script through next-gen social engineering that will fool even your savviest people. The reason we “good guys” choose not to is because we have a sense of ethics – but trust me, there are more bad actors out there than ethical hackers. And this should scare you a little – hackers can establish persistence in your network completely undetected, by establishing private channels between your environment and themselves, through which they can execute any number of destructive activities. If you find an anomaly and remediate it, our scripts will just automatically reestablish the tunnel/connection once you complete the task; you will think the problem has been remediated and move on to the next task. Typically, this is done by building encrypted, two-way “tunnels” into your systems that your security tools can’t read. How do I know? I’ve seen it done time and time again. It’s not hard to do, but you have to start thinking like a hacker.
I don’t say these things with the intention of creating fear. I say them because if you know how it works, you will know how to prepare. The fewer attacks productive organizations fall prey to, the better it is for everyone – for your industry, for client trust, and even for our economy.
The fact is, you need to PLAN for these attacks, because they are a certainty – a matter of when, not if. Hacker-minded security professionals can help you build detailed decision-tree-style plans for what happens next when each layer of your defenses has failed (because eventually, they will). You need an if-then plan that’s directly aligned to each of your existing security controls, with contingency plans for what to do when each one is bypassed or disabled – and contingencies for the contingencies. “When my MDR tool fails, XYZ will kick in via these specific processes... When XYZ fails,” and so on.
I get it. Nobody really wants to think this way. After all, most people go into IT or cybersecurity because they want to do good. You may have, like members of an elite Star Fleet, a sense of purpose, a mission. If this describes you, you’re probably a really good person with positive intentions for the world. You don’t think about all the evil that could be done, because you’re focused on the positive goals in front of you. There are lists of best practices, procedures, and steps to take to build a strong security program – but none of that will prepare you for someone who attacks with the kind of tactics people like me can throw at you. Just assume they (we) will get in. I do this for a good cause, but there is a whole global community out there full of people who are basically cyber mercenaries. These people work for money and don’t care who wants to get into your environment or what their benefactors do with your data and systems once they’re in, so long as they get paid in the process.
I would encourage you to listen to and work with people who base their consulting on first-hand experience with what’s called “white hat” attack methodology. That means, basically, that they know how to break all your defenses – making them the best people to help you secure yourself against attack. I always say, if you don’t know every single way to break into your systems, you can’t secure them. So, find someone who breaks things for a living and have them help bolster your defense plans.
As a follow-on, we invite you to watch CISO Global’s most recent live discussion about how to prepare for failure of your security controls.
If you’d like to speak with an expert about developing a security strategy to keep attackers out, we’d love to hear from you. Contact us today.